1. Documentation
    2. history
×

Examining images for vulnerabilities

With Red Hat Advanced Cluster Security for Kubernetes you can analyze images for vulnerabilities. Scanner analyzes all image layers to check for known vulnerabilities by comparing them with the Common Vulnerabilities and Exposures (CVEs) list.

When Scanner finds any vulnerabilities, it:

  • Shows them in the Vulnerability Management view for detailed analysis.

  • Ranks vulnerabilities according to risk and highlights them in the RHACS portal for risk assessment.

  • Checks them against enabled security policies.

Scanner inspects the images and identifies the installed components based on the files in the images. It may fail to identify installed components or vulnerabilities if the final images are modified to remove the following files:

Components Files

Package managers

  • /etc/alpine-release

  • /etc/apt/sources.list

  • /etc/lsb-release

  • /etc/os-release or /usr/lib/os-release

  • /etc/oracle-release, /etc/centos-release, /etc/redhat-release, or /etc/system-release

  • Other similar system files.

Language-level dependencies

  • package.json for JavaScript.

  • dist-info or egg-info for Python.

  • MANIFEST.MF in Java Archive (JAR) for Java.

Application-level dependencies

  • dotnet/shared/Microsoft.AspNetCore.App/

  • dotnet/shared/Microsoft.NETCore.App/

Scanning images

Central submits image scanning requests to Scanner. Upon receiving these requests, Scanner pulls the image layers from the relevant registry, checks the images, and identifies installed packages in each layer. Then it compares the identified packages and programming language-specific dependencies with the vulnerability lists and sends information back to Central.

You can also integrate Red Hat Advanced Cluster Security for Kubernetes with another vulnerability scanner.

Scanner identifies the vulnerabilities in the:

  • base image operating system

  • packages that are installed by the package managers

  • programming language specific dependencies

  • programming runtimes and frameworks

Understanding and addressing common Scanner warning messages

When scanning images with Red Hat Advanced Cluster Security for Kubernetes (RHACS), you might see the CVE DATA MAY BE INACCURATE warning message. Scanner displays this message when it cannot retrieve complete information about the operating system or other packages in the image.

The following table shows some common Scanner warning messages:

Table 1. Warning messages
Message Description

Unable to retrieve the OS CVE data, only Language CVE data is available

Indicates that Scanner does not officially support the base operating system of the image; therefore, it cannot retrieve CVE data for the operating system-level packages.

Stale OS CVE data

Indicates that the base operating system of the image has reached end-of-life, which means the vulnerability data is outdated. For example, Debian 8 and 9.

For more information about the files needed to identify the components in the images, see Examining images for vulnerabilities.

Failed to get the base OS information

Indicates that Scanner scanned the image, but was unable to determine the base operating system used for the image.

Failed to retrieve metadata from the registry

Indicates that the target registry is unreachable on the network. The cause could be a firewall blocking docker.io, or an authentication issue preventing access.

To analyze the root cause, create a special registry integration for private registries or repositories to get the pod logs for RHACS Central. For instructions on how to do this, see Integrating with image registries.

Image out of scope for Red Hat Vulnerability Scanner Certification

Indicates that Scanner scanned the image, but the image is old and does not fall within the scope of Red Hat Scanner Certification. For more information, see Partner Guide for Red Hat Vulnerability Scanner Certification.

If you are using a Red Hat container image, consider using a base image newer than June 2020.

Supported package formats

Scanner can check for vulnerabilities in images that use the following package formats:

  • yum

  • microdnf

  • apt

  • apk

  • dpkg

  • RPM

Supported programming languages

Scanner can check for vulnerabilities in dependencies for the following programming languages:

  • Java

  • JavaScript

  • Python

  • Ruby

Supported runtimes and frameworks

Beginning from Red Hat Advanced Cluster Security for Kubernetes 3.0.50 (Scanner version 2.5.0), Scanner identifies vulnerabilities in the following developer platforms:

  • .NET Core

  • ASP.NET Core

Supported operating systems

The supported platforms listed in this section are the distributions in which Scanner identifies vulnerabilities, and it is different from the supported platforms on which you can install Red Hat Advanced Cluster Security for Kubernetes.

Scanner identifies vulnerabilities in images that contain the following Linux distributions:

Distribution Version

Alpine Linux

alpine:v3.2, alpine:v3.3, alpine:v3.4, alpine:v3.5, alpine:v3.6, alpine:v3.7, alpine:v3.8, alpine:v3.9, alpine:v3.10, alpine:v3.11, alpine:v3.12, alpine:v3.13, alpine:v3.14, alpine:v3.15, alpine:v3.16, alpine:edge

Amazon Linux

amzn:2018.03, amzn:2

CentOS

centos:6, centos:7, centos:8

Debian

debian:9, debian:10, debian:11, debian:unstable

Red Hat Enterprise Linux (RHEL)

rhel:6, rhel:7, rhel:8, rhel:9

Ubuntu

ubuntu:14.04, ubuntu:16.04, ubuntu:18.04, ubuntu:20.04, ubuntu:21.10, ubuntu:22.04

  • Scanner does not support the Fedora operating system because Fedora does not maintain a vulnerability database. However, Scanner still detects language-specific vulnerabilities in Fedora-based images.

  • Scanner also identifies vulnerabilities in the following images. However, the vulnerability sources are not updated anymore by their vendor:

    Distribution Version

    Debian

    debian:8

    Ubuntu

    ubuntu:12.04, ubuntu:12.10, ubuntu:13.04, ubuntu:14.10, ubuntu:15.04, ubuntu::15.10, ubuntu::16.10, ubuntu:17.04, ubuntu:17.10, ubuntu:18.10, ubuntu:19.04, ubuntu:19.10, ubuntu:20.10, ubuntu:21.04

Periodic scanning of images

Red Hat Advanced Cluster Security for Kubernetes periodically scans all active images and updates the image scan results to reflect the latest vulnerability definitions. Active images are the images you have deployed in your environment.

From Red Hat Advanced Cluster Security for Kubernetes 3.0.57, you can enable automatic scanning of inactive images by configuring the Watch setting for images.

Central fetches the image scan results for all active images from Scanner or other integrated image scanners that you use and updates the results every 4 hours.

You can also use the roxctl CLI to check the image scan results on demand.

Scanning inactive images

Red Hat Advanced Cluster Security for Kubernetes (RHACS) scans all active (deployed) images every 4 hours and updates the image scan results to reflect the latest vulnerability definitions.

You can also configure RHACS to scan inactive (not deployed) images automatically.

Procedure

  1. On the RHACS portal, navigate to Vulnerability Management > Dashboard.

  2. On the Dashboard view header, select IMAGES.

  3. Click MANAGE WATCHES to manage the scanning of watched images.

  4. In the MANAGE WATCHED IMAGES dialog, enter the inactive image’s name for which you want to enable scanning.

    Verify that you enter the name of the image and not the image id. Image name is the fully-qualified image name, beginning with the registry and ending with the tag. For example, docker.io/vulnerables/cve-2017-7494:latest.

  5. Select ADD IMAGE. RHACS then scans the image and shows the error or success message.

  6. (Optional) Click REMOVE WATCH to remove an image from the watchlist.

    On the RHACS portal, click Platform Configuration > System Configuration to view the data retention configuration.

    All the data related to the image removed from the watchlist continues to appear in the RHACS portal for the number of days mentioned on the System Configuration page and is only removed after that period is over.

  7. Select RETURN TO IMAGE LIST to view the IMAGES page.

Fetching vulnerability definitions

In online mode, Central fetches the vulnerability definitions every 5 minutes from a single feed. This feed combines vulnerability definitions from upstream sources that include multiple Linux distributions and the National Vulnerability Database, and it refreshes every hour.

  • The address of the feed is https://definitions.stackrox.io.

  • You can change the default query frequency for Central by setting the ROX_SCANNER_VULN_UPDATE_INTERVAL environment variable:

    $ oc -n stackrox set env deploy/central ROX_SCANNER_VULN_UPDATE_INTERVAL=<value> (1)
    1 If you use Kubernetes, enter kubectl instead of oc.

Scanner’s configuration map still has an updater.interval parameter for configuring Scanner’s updating frequency, but it no longer includes the fetchFromCentral parameter.

Understanding vulnerability scores

In the RHACS portal shows a single Common Vulnerability Scoring System (CVSS) base score for each vulnerability. Red Hat Advanced Cluster Security for Kubernetes shows the CVSS score based on the following criteria:

  • If a CVSS v3 score is available, Red Hat Advanced Cluster Security for Kubernetes shows the score and lists v3 along with it. For example, 6.5 (v3).

    CVSS v3 scores are only available if you are using Scanner version 1.3.5 and newer.

  • If a CVSS v3 score is not available, Red Hat Advanced Cluster Security for Kubernetes shows only the CVSS v2 score. For example, 6.5.

You can use the API to get the CVSS scores. If CVSS v3 information is available for a Common Vulnerabilities and Exposures (CVE), the response includes both CVSS v3 and CVSS v2 information.

For some CVEs, the Red Hat Security Advisory (RHSA) CVSS score may differ from the CVSS score visible in the RHACS portal. This difference is because one RHSA can contain multiple CVEs, and Red Hat sometimes assigns a different score based on how a vulnerability affects other Red Hat products.

In such cases, Red Hat Advanced Cluster Security for Kubernetes:

  • Finds the highest-scoring CVE from the National Vulnerability Database (NVD) and shows its score as the CVSS score for the RHSA.

  • Breaks out each CVE in the RHSA as a separate vulnerability with its original CVSS score (from the NVD), so that you can view each one and create policies for specific CVEs.

Additional resources

Viewing images in your environment

With Red Hat Advanced Cluster Security for Kubernetes you can view the details for all container images in your clusters.

Procedure

  1. Navigate to the RHACS portal and click Vulnerability Management from the left-hand navigation menu.

  2. To view details for all the images in your cluster, select Images on the Vulnerability Management view header.

Viewing the Dockerfile for an image

Use the Vulnerability Management view to find the root cause of vulnerabilities in an image. You can view the Dockerfile and find exactly which command in the Dockerfile introduced the vulnerabilities and all components that are associated with that single command.

The Dockerfile section shows information about:

  • All the layers in the Dockerfile

  • The instructions and their value for each layer

  • The components included in each layer

  • The number of CVEs in components for each layer

When there are components introduced by a specific layer, you can select the expand icon to see a summary of its components. If there are any CVEs in those components, you can select the expand icon for an individual component to get more details about the CVEs affecting that component.

Procedure

  1. Navigate to the RHACS portal and click Vulnerability Management from the navigation menu.

  2. Select an image from either the Top Riskiest Images widget or click the Images button at the top of the Dashboard and select an image.

  3. In the Image details view, next to Dockerfile, select the expand icon to see a summary of instructions, values, creation date, and components.

  4. Select the expand icon for an individual component to view more information.

Identifying the container image layer that introduces vulnerabilities

Use the Vulnerability Management view to identify vulnerable components and the image layer they appear in.

Procedure

  1. Navigate to the RHACS portal and click Vulnerability Management from the navigation menu.

  2. Select an image from either the Top Riskiest Images widget or click the Images button at the top of the Dashboard and select an image.

  3. In the Image details view, next to Dockerfile, select the expand icon to see a summary of image components.

  4. Select the expand icon for specific components to get more details about the CVEs affecting the selected component.

Identifying Dockerfile lines in images that introduced components with CVEs

You can identify specific Dockerfile lines in an image that introduced components with CVEs.

Procedure

To view a problematic line:

  1. Navigate to the RHACS portal and click Vulnerability Management from the navigation menu.

  2. Select an image from either the Top Riskiest Images widget or click the Images button at the top of the Dashboard and select an image.

  3. In the Image details view, under Image Findings, CVEs are listed in the Observed CVEs, Deferred CVEs, and False positive CVEs tabs.

  4. Locate the CVE you want to examine further. In the Affected Components column, click on the <number> Components link to view a list of components affected by the CVE. You can perform the following actions in this window:

    • Select the expand icon next to a specific component to view the Dockerfile line in the image that introduced the CVE. To address the CVE, you need to change this line in the Dockerfile; for example, you can upgrade the component.

    • Click the name of the component to go to the Component Summary page and view more information about the component.

Identifying the operating system of the base image

Use the Vulnerability Management view to identify the operating system of the base image.

Procedure

  1. Navigate to the RHACS portal and click Vulnerability Management from the navigation menu.

  2. From the Vulnerability Management view header, select Images.

  3. View the base operating system (OS) and OS version for all images under the Image OS column.

  4. Select an image to view its details. The base operating system is also available under the Image SummaryDetails and Metadata section.

Red Hat Advanced Cluster Security for Kubernetes lists the Image OS as unknown when either:

  • The operating system information is not available, or

  • If the image scanner in use does not provide this information.

Docker Trusted Registry, Google Container Registry, and Anchore do not provide this information.

Disabling language-specific vulnerability scanning

Scanner identifies the vulnerabilities in the programming language-specific dependencies by default. You can disable the language-specific dependency scanning.

Procedure

  • To disable language-specific vulnerability scanning, run the following command:

    $ oc -n stackrox set env deploy/scanner \ (1)
  ROX_LANGUAGE_VULNS=false (2)
    1 If you use Kubernetes, enter kubectl instead of oc.
    2 If you are using Red Hat Advanced Cluster Security for Kubernetes version 3.0.47 or older, replace the environment variable name ROX_LANGUAGE_VULNS with LANGUAGE_VULNS.

Additional resources

  • For more information about Common Vulnerabilities and Exposures (CVEs), see the Red Hat CVE Database.